I am the Director of Civil Liberties at the Stanford Center for Internet and Society. I returned to Stanford after working with the internet boutique firm of Zwillgen PLLC. Before that, I was the Civil Liberties Director at the Electronic Frontier Foundation. I practice, speak and write about computer crime and security, electronic surveillance, consumer privacy, data protection, copyright, trademark and the Digital Millennium Copyright Act. From 2001 to 2007, I was Executive Director of CIS and taught Cyberlaw, Computer Crime Law, Internet intermediary liability, and Internet law and policy. Before teaching at Stanford, I spent almost a decade practicing criminal defense law in California.

The author is a Forbes contributor. The opinions expressed are those of the writer.

Last week, thanks to the Electronic Frontier Foundation’s excellent FOIA work, we got the gift of a newly declassified 2011 FISA court opinion. The opinion finds that the government misled the FISA court for over three years about the details of its illegal and unconstitutional surveillance programs. These lies hid from the court the fact that every year, the NSA is collecting at least 56,000 emails – and possibly many more — between innocent Americans who have no foreign connections and are suspected of no crimes. That’s bad, but the worst part of it is, when the government’s lies were finally exposed the FISA court demanded … that NSA analysts read our private messages right away, so they can be used or deleted more quickly. In other words, the government got not a slap on the wrist, but a pat on the back. President Obama and his intelligence officials keep telling us that we shouldn’t worry about NSA mass surveillance because the FISA Court is there to keep the NSA honest. Well, not so much.

Some background:

The NSA has been collecting the contents of Americans’ communications with people overseas since before the FISA Amendments Act of 2008 (FAA). The FAA legalized the practice and brought it under FISA court supervision. Under the FAA, the NSA is allowed to “target” foreigners reasonably believed to be outside the U.S. for foreign intelligence purposes. “Targets” are the people or entities from, to or about which, the NSA seeks information. But the NSA’s surveillance isn’t limited to messages to or from “targets”. The NSA may also look at messages of people who are communicating about a target, so long as one of the communicants is reasonably believed to be outside the U.S. The only messages the FAA says are categorically off-limits are those which the NSA knows in advance to be purely domestic – i.e., between only Americans.

Since 2008, the FISA court was under the impression – courtesy of the NSA’s assurances in numerous submissions to the court – that the agency’s surveillance system pulled one message at a time out of the ocean of data flowing over fiber optic cables, and that the procedures the NSA used to select messages for collection were quite accurate in both capturing only relevant messages and in avoiding the forbidden purely domestic communications.

Turns out, that’s all wrong. NSA’s systems don’t always pull single messages; rather, they regularly capture what the agency, with characteristic opacity, refers to as “Internet transactions.” An “Internet transaction” may be comprised of a single message – an “SCT”, in NSA-speak. But Internet transactions often contain multiple messages – the agency refers to this bundle of messages as an “MCT”. If only one message in an MCT is responsive to the NSA’s targeting terms, the NSA devices nonetheless pull the entire package of messages into the NSA databases. Further, MCTs can contain messages that have nothing to do with foreigners or foreign intelligence. NSA’s internal auditing, done at the FISA judge version of gunpoint, puts the number of improperly collected wholly domestic American messages at approximately 56,000 a year.

Despite this happening since before 2008, the first the FISA court learned of this practice was in a May 2011 letter from the NSA. Until that date, the NSA had falsely told FISA judges that its technical measures prevented domestic acquisition except for “theoretically possible” cases. This new information “fundamentally alter[ed]” the court’s understanding of the scope of NSA collection.

This third lie was also a big deal. The new information led the court to rule that the NSA every year was collecting at least 56,000 purely domestic communications that it was not permitted by law to collect, conduct that was illegal, unconstitutional, and potentially criminal.

So what did the court do when it found out it had been lied to, that purely domestic communications were fair game, that untold numbers of innocent people were being illegally spied on, and that all the safeguards in place needed to be rethought?

Nothing, really. The court suggested the NSA should train its analysts to notice when their queries turned up an MCT – i.e., an Internet transaction containing multiple messages — and then to look carefully at all the by-catch. If existing procedures allowed them to use anything in those purely domestic messages that they were never supposed to have collected in the first place, great! Otherwise, only after collection and review, should the information be deleted. The NSA adopted this approach, and continues to blithely collect Internet transactions containing wholly domestic communications between innocent Americans to this day.

So in the face of illegal, unconstitutional and potentially criminal conduct — conduct about which the NSA repeatedly lied to the FISA court — the FISA court “corrected” the problem by requiring … banner warnings that something might be an MCT, and an extra round of review by NSA analysts. The real problem – that the NSA regularly collects Americans’ most private communications that the law does not permit it to collect and lies about it to the FISA court – was simply waved away.

In other words, the NSA intentionally collects purely domestic American communications which it assured the American people were off-limits. But the FISA court allows the government to use these communications to criminally investigate us, and for foreign intelligence purposes. Section 3(b)(4) of the NSA’s “minimization” rules – i.e., the treatment of messages post-acquisition — requires NSA analysts to determine whether communications, whether domestic or foreign, are to, from, or about a target, or are reasonably believed to contain foreign intelligence information or evidence of a crime. So those wholly domestic communications that are supposed to be off limits under U.S. surveillance statutes, protected by the Fourth Amendment, and therefore never should have been collected in the first place? Those can be used by the NSA, or sent to the DEA, the FBI, the IRS or other law enforcement if they contain evidence of a crime. They can also be retained forever if they’re encrypted. The NSA will promptly destroy only the wholly domestic communications which clearly don’t contain foreign intelligence information.

The remaining communications — those that Americans have with people overseas, or which are not conclusively determined to contain no foreign intelligence information, are marked as having come from an MCT and then can be moved into the database of other collected communications. Analysts will later have to double check that these messages are not wholly domestic AND irrelevant to foreign intelligence, but following that check they can use and disseminate the by-catch under existing procedures applicable to all messages.

And remember, these rules allow the government to keep and analyze even purely domestic communications if they contain significant foreign intelligence information or evidence of a crime. They allow the government to collect and retain communications protected by the attorney–client privilege. And they permit the NSA to retain, forever, all encrypted communications.

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.